Two recent New York Times articles sparked an interesting discussion in the legal community about data security measures at law firms. One article, Spying By N.S.A. Ally Entangled U.S. Law Firm, describes how government surveillance is capturing attorney-client email communications. The other article in Dealbook, Law Firms Are Pressed On Security for Data, describes how clients are demanding their lawyers step up their data security measures.
Attorney data security is a topic near and dear to the heart of our General Counsel Jim Brashear. Jim has invested many hours writing articles, speaking at legal and security conferences and participating in webinar panels with the goal of raising the legal community’s awareness of the significant need for data protection. He is a sought-after resource on the topic, so who better to have a Q&A with on an issue that is gaining speed in the media and the legal industry?
Does the fact that law firms are victims of hacking or email interception mean they don’t take data security seriously?
No. Law firms do take data security seriously. Unfortunately, law firms are targets for cyber thieves and spies, because law firms are a treasure trove of sensitive information for many clients – and law firms generally are perceived by data thieves to have relatively lower cyber security standards than their clients. Lawyers have ethical obligations to take reasonable steps to protect their clients’ confidential information and maintain data security measures, but the cyber risks for law firms are rapidly changing with increased hacking and data interception and greater use of mobile devices and cloud computing. There have also been recent changes in ethics guidance about lawyers’ usage of technology. The real question is whether typical law firm cyber security measures continue to be adequate.
Who decides that a law firm’s data security measures are adequate?
Ultimately, the law firm’s client gets to decide whether the law firm is adequately protecting that client’s data. A client might require that its lawyers implement particular cyber security measures. That’s the sort of behavior reported in the recent New York Times Dealbook article. Alternatively, a client may choose to take its legal representation business elsewhere because of cyber risk concerns. So, the ability to offer sophisticated data security measures can be a services differentiator for a savvy law firm. The law firm’s engagement letter should invite the client to request enhanced data security measures when dealing with particularly sensitive data or a heightened risk of unauthorized access. The letter should solicit the client’s informed consent to the firm’s normal, reasonable cyber security measures.
What keeps lawyers from implementing additional data security measures?
There are many reasons that law firms have been slow to adopt additional data security steps, including:
• Conflicting Client Standards: Unlike companies that implement cybersecurity to protect their own proprietary information, law firms are obligated to protect information that belongs to many different clients. Those clients may insist on multiple, conflicting standards about what information they consider to be particularly sensitive and how that information should be protected. It’s difficult for law firms to manage multiple, conflicting standards and technology solutions. So, the law firm waits to implement additional measures until an important client demands additional steps – perhaps with the hope that the costs can be charged back to that client.
• Management Challenges: Lawyers may not fully understand the risks and may be relying on the law firm’s IT staff to address the issues. Meanwhile the IT staff may be waiting for the lawyers to decide that additional steps are needed. Law firms typically are managed by reaching a consensus among the partners. It’s hard to get two lawyers to agree on anything, much less getting a whole bunch of lawyers to agree to adopt tools that don’t lead to more billable time or that they perceive may waste time due to increased complexity. So, law firms can be slow to make decisions about data security.
• Resistance to New Technology: Lawyers focus their efforts on learning the law and providing counsel to clients. It’s rare to find a lawyer with time to invest in learning a new technology – even when that technology ultimately benefits clients. So, law firms sometimes don’t implement additional cyber security measures, because their lawyers think the technology will be hard to learn or use.
• Lack of State Bar Mandates: Lawyers tend to make rules-based decisions about implementing data security measures and, based on current ethics rules, law firms are likely to say that there are no clear requirements for law firms to implement additional data security measures. My earlier posts on our ZixCorp Insight blog describe reasonable steps that law firms could take to meet evolving ethics guidance when using email or other Cloud services.
How might law firms avoid some of those implementation hurdles?
Managing data security is easier when law firms, clients, regulators and others share the same data security standards and tools. For example, there’s huge convenience in a large community of users who share the same email encryption platform. So law firms should consider the benefits of joining a widely accepted user community.
You have to strike the right balance between convenience and security. Law firms should also look for security tools that are as transparent as possible to end users. The easier enhanced data security measures are to implement and use, the easier they will be for lawyers and their clients to accept and adopt.
Interested in posing your own question to Jim? Comment on our post or contact him through Twitter at @jfbrashear.